Application Security Services

The first step in securing the design, development and deployment of custom applications is to understand the threats they face, which is what application security testing provides. Only then can you harden the network and the hosts the application runs on, and build security into your development process. Vulnerable web-facing applications have become one of the most popular attack vectors for malicious hackers; application code vulnerabilities and design flaws are the new battleground in information security.

The sophistication of attack tools and methods exposes information, applications and developers to a growing volume of risk. Mobile use is also surging, with commercial entities adopting mobile applications for retail sales floors, restaurant dining rooms and distributed mobile banking, to name a few.

Cautela Labs Application Security Services thoroughly test your application(s) to uncover vulnerabilities, identify security gaps and recommend remediation. We review applications to validate that the vulnerability classes catalogued by the Open Web Application Security Project (OWASP), such as the OWASP Top 10, have been addressed, and we provide guidance on secure coding practices, including a unit-testing methodology based on a security threat model built for your application or organization.

Source Code Review:

Application source code review is an essential part of an application security audit. It is the most comprehensive and reliable way to discover and eliminate vulnerabilities in your application, whether it is a simple web application or complex data management software. Our security engineers' experience allows us to review source code in a wide range of programming languages, including ASP, Visual Basic, Java, C/C++, Objective-C, C#, and even assembly.

Some vulnerabilities and weaknesses are difficult to discover without a thorough source code review. Such flaws are often found first by attackers, who use them to compromise fully patched systems: a vendor patch fixes the vendor's code, not a defect in your own.

A source code review is also the best way to detect intentional or accidental backdoors and logic bombs in applications that you acquire from third parties or develop in-house. Certain security standards, such as PCI DSS, require that custom code be reviewed for potential coding vulnerabilities before it is released to production.

Source code review is the core of Static Application Security Testing (SAST), which examines the application's code without executing it and can therefore trace every code path, including those a scanner never reaches. Dynamic Application Security Testing (DAST), by contrast, probes the running application and shows what is actually exploitable in the deployed configuration. Gartner recommends using both approaches to achieve the highest level of security, and at Cautela Labs we combine SAST and DAST for each customer to deliver the most in-depth testing.

We achieve the highest quality of source code review by combining automated tools (such as CodeScout, CodeAssure, FlawFinder, RATS, FindBugs, FxCop, PMD, SWAAT, RIPS, Brakeman, VCG and others) with in-depth manual analysis by our security auditors: the tools find well-known patterns quickly, while manual review catches the logic and design flaws that pattern matching misses. Aspects of application security tested include:

  • Insufficient validation and sanitization of user-supplied data
  • Improper memory management and buffer boundary checks
  • Application logic flaws and race conditions
  • Authentication and authorization bypass
  • Usage of unsafe methods and functions
  • Sensitive information disclosure

During source code reviews of web applications, web-specific vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection, Cross-Site Request Forgery (CSRF), arbitrary code injection and XML injection are also detected.
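As an added illustration (example code written for this page, not Cautela Labs' own code or tooling), the snippet below shows the kind of finding a source code review reports under "insufficient validation of user-supplied data": a SQL lookup that concatenates input into the query, the same lookup parameterized, and a toy pattern check standing in for the automated tools named above. The user table, the injection payload and the scanned source snippet are all constructed for the example.

```python
"""Constructed example: a SQL injection finding, its fix, and a toy SAST check."""
import re
import sqlite3

# Constructed sample data; not taken from any real system.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_vulnerable(conn, name):
    # Vulnerable: the caller's input becomes part of the SQL text, so a
    # quote in the input changes the query's structure.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_hardened(conn, name):
    # Hardened: the SQL text is a constant and the driver binds the value,
    # so the input is only ever treated as data.
    query = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(query, (name,)))


# Toy static check in the spirit of pattern-based tools: flag a SQL string
# literal that is concatenated with '+' or interpolated via an f-string.
SQL_KEYWORD = r"(?:SELECT|INSERT|UPDATE|DELETE)\b"
CONCAT_SQL = re.compile(r'"' + SQL_KEYWORD + r'[^"]*"\s*\+', re.IGNORECASE)
FSTRING_SQL = re.compile(r'f"' + SQL_KEYWORD + r'[^"]*\{', re.IGNORECASE)


def scan_source(text):
    """Return (line_number, line) for each line matching an unsafe pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if CONCAT_SQL.search(line) or FSTRING_SQL.search(line):
            hits.append((lineno, line.strip()))
    return hits


# Constructed source snippet to scan: lines 2 and 4 are unsafe, line 5 is safe.
SAMPLE_SOURCE = '''\
def lookup(conn, name):
    q = "SELECT name FROM users WHERE name = '" + name + "'"
    return conn.execute(q)
rows = conn.execute(f"DELETE FROM sessions WHERE user = '{name}'")
safe = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
'''


def demo(payload="' OR '1'='1"):
    """Run both lookups against a legitimate name and the payload, and scan."""
    conn = make_db()
    return {
        "legit_vulnerable": find_user_vulnerable(conn, "alice"),
        "legit_hardened": find_user_hardened(conn, "bob"),
        "payload_vulnerable": find_user_vulnerable(conn, payload),
        "payload_hardened": find_user_hardened(conn, payload),
        "flagged_lines": [n for n, _ in scan_source(SAMPLE_SOURCE)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the payload `' OR '1'='1`, the concatenated query returns every user while the parameterized one returns nothing. The regex check finds both unsafe lines in the constructed snippet, but it would miss a query assembled across several statements or built from a variable that only later receives user input; that gap is exactly why the automated pass is paired with manual review.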

Information Risk Assessment

Cautela Labs applies its information risk analysis methodology to help you analyze business information risk and select the right controls to mitigate it.


Professional Services

FISMA

Services that help federal agencies and their affiliates meet FISMA requirements and improve their security controls in accordance with NIST SP 800-53.


Compliance